At the Forge - OpenID

An introduction to OpenID, an open-source, distributed, single sign-on solution for Internet applications.

Thank goodness for Firefox. Yes, it's a great browser. Yes, it
has all sorts of wonderful plugins that let me do everything from
debugging my Web applications to checking the weather forecast. And, the fact
that it works across multiple platforms makes it even better.

But, as Web-based applications become an increasingly integral part of
my life, I've grown dependent on Firefox's ability to remember my
passwords. It might be silly, or even a bit pathetic, but there is
no way I can remember all the different passwords
I've created over the years. This is especially true for sites
where I've changed my password on occasion, either because my
current password expired or because I decided to change it.

This also means that when I use a different browser, or even a
different computer, I'm often at a total loss. Sure, I remember some
of my passwords, but there is no easy way for me to keep track of all
of them without writing them down somewhere. So, I do the digital
equivalent—storing them in my browser—and make sure I
have my laptop with me wherever I go.

Juggling multiple passwords isn't new, of course. Even before the
growth of Web applications, people were logging in to different computers,
networks, e-mail accounts, database systems and so on. A
number of companies made quite a bit of money from “single sign-on”,
offering back-end solutions that allowed people to log in to a
single computer, providing them with access to many different ones.

But, although the problem might not be new, its scale is unprecedented.
We no longer are worried about several hundreds or thousands of individuals
keeping track of a dozen passwords, with access to an IT support
department. Rather, we now have to worry about many millions of
people, each of whom has dozens of passwords and little or no
technical support for any of them.

Moreover, each Web site has its own particular needs, not to mention
its own unique user interface. And, to top it off, the world is quite
different from a corporation; you can't impose a standard
solution from above. Rather, there must be a way to introduce
competition into the equation, such that individuals can choose their
own single sign-on provider.

Over the years, a number of companies have tried to enter this space
for Internet applications. Perhaps the most famous (or infamous) was
Microsoft's .NET Passport (now known as Windows Live ID), which was
launched with great fanfare—and quickly attracted a great deal of
negative attention related to privacy concerns. Even if
Microsoft's product was technically excellent (and I'm not
knowledgeable enough to judge it), people did not want to be told with
whom they must entrust private and sensitive data.

An increasingly popular solution to this problem is OpenID. OpenID is
not necessarily a new technology; it has existed in some form or
another for several years already. However, it rapidly is picking up
steam—so much that right before I wrote these words in February 2008, we
saw Microsoft, Google, IBM, VeriSign and Yahoo embrace OpenID.

Now, it's true that the number of sites supporting OpenID is
currently small—numbering about 8,000 at the time of this writing. However, the
number is growing rapidly, and I expect the pace will pick up
as the aforementioned Internet giants begin to get involved.

What if you're smaller than Google or Microsoft? Is OpenID
worth adding to your site? Is it relatively easy? The answer to
both questions, I'm happy to say, is yes.

This month, I discuss the user side of OpenID—how you
register for an OpenID and how you manage it. I also explain
how the OpenID specification takes into account the fact that you
might eventually need to change providers.

The Basics of OpenID

The term OpenID refers both to a person's unique identifier and to
the standard describing all the technology around that identifier.
To create an OpenID, you must register with an OpenID provider. Once
you have registered your OpenID, it is the provider that authenticates
you for every OpenID-enabled application you use. In other
words, the OpenID provider is responsible for checking your identity,
which normally means confirming that the user name and password you
enter are acceptable.

Thus, logging in to a site with OpenID means the following happens:

You tell the Web application you want to log in with the OpenID
protocol.

You enter your OpenID (more detail on this shortly)
into the application's login screen.

The application sends you to the login screen for your OpenID
provider.

If the provider accepts your credentials (normally, your user name and
password), it asks you to confirm that your identity may be exported
to the Web application, and whether it may do so in the future as well.
If you indicate that you are willing to share your identity with this
Web application in the future, you will skip this confirmation step on
subsequent logins.

Once allowed to export your identity to the Web application, you are
returned to the original application you wanted to use, logged in
and ready to use it.
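The exchange described in the steps above, as an added simulation that is not code from the column or from any OpenID library: the consumer (Web application) and the provider are two Python objects, the association secret is a fixed constructed value rather than one negotiated between the parties, the "confirm_needed" status is this example's own name for the confirmation prompt, and the user's redirect is modelled as passing a dictionary back and forth.

```python
import hmac, hashlib, secrets

# Constructed shared secret; a real provider and consumer negotiate one.
ASSOC_SECRET = b"constructed-association-secret"
SIGNED = ("mode", "claimed_id", "return_to", "response_nonce")

def sign(params):
    """HMAC over the signed fields, in a fixed order, as the provider does."""
    msg = "\n".join(f"{k}:{params['openid.' + k]}" for k in SIGNED)
    return hmac.new(ASSOC_SECRET, msg.encode(), hashlib.sha256).hexdigest()

class Provider:
    """Checks the user's credentials and decides whether to assert identity."""
    def __init__(self, users):
        self.users = users        # claimed_id -> password (constructed sample)
        self.trusted = set()      # (claimed_id, return_to) pairs the user remembered
    def handle_checkid(self, request, password, confirm=None, remember=False):
        cid, rt = request["openid.claimed_id"], request["openid.return_to"]
        if self.users.get(cid) != password:
            return {"openid.mode": "cancel"}              # step 3: bad credentials
        if (cid, rt) not in self.trusted:                 # step 4: ask before exporting
            if confirm is None:
                return {"openid.mode": "confirm_needed"}  # example's own status name
            if not confirm:
                return {"openid.mode": "cancel"}
            if remember:
                self.trusted.add((cid, rt))               # skip the prompt next time
        assertion = {"openid.mode": "id_res", "openid.claimed_id": cid,
                     "openid.return_to": rt,
                     "openid.response_nonce": secrets.token_hex(8)}
        assertion["openid.sig"] = sign(assertion)         # step 5: signed assertion
        return assertion

class Consumer:
    """The Web application: sends the user to the provider, checks what returns."""
    def __init__(self, return_to):
        self.return_to = return_to
        self.seen_nonces = set()  # replay protection for returned assertions
    def login_request(self, claimed_id):                  # steps 1 and 2
        return {"openid.mode": "checkid_setup", "openid.claimed_id": claimed_id,
                "openid.return_to": self.return_to}
    def verify(self, resp):
        """Returns the authenticated OpenID, or None if the assertion is not acceptable."""
        if resp.get("openid.mode") != "id_res":
            return None
        if resp["openid.return_to"] != self.return_to:    # meant for another site
            return None
        if resp["openid.response_nonce"] in self.seen_nonces:   # replayed assertion
            return None
        if not hmac.compare_digest(sign(resp), resp["openid.sig"]):  # tampered fields
            return None
        self.seen_nonces.add(resp["openid.response_nonce"])
        return resp["openid.claimed_id"]
```

The consumer accepts an assertion only once, only for its own return address, and only when the signature covers the claimed identifier, which is why a provider must sign the fields the consumer relies on.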

Notice there are a few important differences here between OpenID
and a “standard” login system. First, users authenticate
against a different site from the one they are trying to use. This is
similar to making a purchase via Google Checkout or PayPal, both of
which require that users authenticate themselves and authorize the
purchase amount on their own sites, rather than on the site belonging
to the on-line store.

Some critics of OpenID say that users may be surprised or confused by
the switch from one site to another, but I think Google Checkout
and PayPal have demonstrated that a reasonable number of people are
not put off by switching back and forth. Moreover, I have read that
Firefox 3 will include some integrated OpenID support, which might
remove some of the need to switch sites—or at least make it appear
more integrated. However, I've been using the beta of Firefox 3 for
several months and have yet to experience such integration.

And, although I use the term Web application, there is no requirement
that OpenID be used only for Web-based applications. I expect that as
OpenID takes hold, a large number of Internet-based applications,
obviously including those that run on the Web, will use OpenID. However,
there's no reason why non-Web applications and services couldn't use
OpenID as well. I even can imagine a day when you might use OpenID to
enter your house or confirm your identity to your burglar-alarm
company. In the world of OpenID, end-user applications are known as
consumers, just as the OpenID authentication systems are known as
providers.

Most OpenID providers authenticate users with a user name and password.
Over time, we can expect them to go in other directions as well—for
example, using biometric authentication systems. And, although OpenID
providers currently offer their services for free, it's not hard to
imagine a time in which some companies will charge for OpenID
services, while others will support themselves via advertising. Because
users can switch OpenID providers at any time, and because users have a
choice as to which one they will use, we can expect both competition and
ingenuity to be the rule.

One company, Vidoop, has a particularly interesting authentication
mechanism, in which users select a pattern of images as their
“password”. Each time a user wants to authenticate, a set of
images—including those that the user has selected—appears on a 3x3
grid, with each image in a randomly selected location and a random
letter placed next to it. This effectively creates a one-time
password, which users enter by typing the letters associated with
the ordered set of images they originally chose.

Finally, I should note that you can create and use as many OpenIDs as
you like, just as you would normally create as many user names as you like
on a Web site. Some people do this to separate their work ID
from their personal ID, or just because they prefer not to put all of
their eggs in one authentication basket. Regardless, OpenID allows
you to do this—although it is ironic that a single sign-on solution
would spur people to create multiple identities.

Comments


You make Firefox look like the best thing since sliced bread. Firefox is not as good as Opera and Safari; these two browsers are closed, so they are more secure. Try Opera on your Linux box. I use Safari on all my Macs. I did try the OS X version of Firefox; the UI and everything is ugly!
